1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
25 * Copyright 2019 Joyent, Inc.
26 * Copyright 2017 Jason King.
27 * Copyright 2025 RackTop Systems, Inc.
28 */
29
30 #include <pthread.h>
31 #include <stdlib.h>
32 #include <string.h>
33 #include <strings.h>
34 #include <sys/debug.h>
35 #include <sys/types.h>
36 #include <security/cryptoki.h>
37 #include <aes_impl.h>
38 #include <cryptoutil.h>
39 #include "softSession.h"
40 #include "softObject.h"
41 #include "softCrypt.h"
42 #include "softOps.h"
43
44 /*
45 * Check that the mechanism parameter is present and the correct size if
46 * required and allocate an AES context.
47 */
48 static CK_RV
soft_aes_check_mech_param(CK_MECHANISM_PTR mech,aes_ctx_t ** ctxp)49 soft_aes_check_mech_param(CK_MECHANISM_PTR mech, aes_ctx_t **ctxp)
50 {
51 void *(*allocf)(int) = NULL;
52 size_t param_len = 0;
53 boolean_t param_req = B_TRUE;
54
55 switch (mech->mechanism) {
56 case CKM_AES_ECB:
57 param_req = B_FALSE;
58 allocf = ecb_alloc_ctx;
59 break;
60 case CKM_AES_CMAC:
61 param_req = B_FALSE;
62 allocf = cmac_alloc_ctx;
63 break;
64 case CKM_AES_CMAC_GENERAL:
65 param_len = sizeof (CK_MAC_GENERAL_PARAMS);
66 allocf = cmac_alloc_ctx;
67 break;
68 case CKM_AES_CBC:
69 case CKM_AES_CBC_PAD:
70 param_len = AES_BLOCK_LEN;
71 allocf = cbc_alloc_ctx;
72 break;
73 case CKM_AES_CTR:
74 param_len = sizeof (CK_AES_CTR_PARAMS);
75 allocf = ctr_alloc_ctx;
76 break;
77 case CKM_AES_CCM:
78 param_len = sizeof (CK_CCM_PARAMS);
79 allocf = ccm_alloc_ctx;
80 break;
81 case CKM_AES_GCM:
82 param_len = sizeof (CK_GCM_PARAMS);
83 allocf = gcm_alloc_ctx;
84 break;
85 default:
86 return (CKR_MECHANISM_INVALID);
87 }
88
89 if (param_req && (mech->pParameter == NULL ||
90 mech->ulParameterLen != param_len)) {
91 return (CKR_MECHANISM_PARAM_INVALID);
92 }
93
94 *ctxp = allocf(0);
95 if (*ctxp == NULL) {
96 return (CKR_HOST_MEMORY);
97 }
98
99 return (CKR_OK);
100 }
101
102 /*
103 * Create an AES key schedule for the given AES context from the given key.
104 * If the key is not sensitive, cache a copy of the key schedule in the
105 * key object and/or use the cached copy of the key schedule.
106 *
107 * Must be called before the init function for a given mode is called.
108 */
109 static CK_RV
soft_aes_init_key(aes_ctx_t * aes_ctx,soft_object_t * key_p)110 soft_aes_init_key(aes_ctx_t *aes_ctx, soft_object_t *key_p)
111 {
112 void *ks = NULL;
113 size_t size = 0;
114 CK_RV rv = CKR_OK;
115
116 (void) pthread_mutex_lock(&key_p->object_mutex);
117
118 /*
119 * AES keys should be either 128, 192, or 256 bits long.
120 * soft_object_t stores the key size in bytes, so we check those sizes
121 * in bytes.
122 *
123 * While soft_build_secret_key_object() does these same validations for
124 * keys created by the user, it may be possible that a key loaded from
125 * disk could be invalid or corrupt. We err on the side of caution
126 * and check again that it's the correct size before performing any
127 * AES operations.
128 */
129 switch (OBJ_SEC_VALUE_LEN(key_p)) {
130 case AES_MIN_KEY_BYTES:
131 case AES_MAX_KEY_BYTES:
132 case AES_192_KEY_BYTES:
133 break;
134 default:
135 rv = CKR_KEY_SIZE_RANGE;
136 goto done;
137 }
138
139 ks = aes_alloc_keysched(&size, 0);
140 if (ks == NULL) {
141 rv = CKR_HOST_MEMORY;
142 goto done;
143 }
144
145 /* If this is a sensitive key, always expand the key schedule */
146 if (key_p->bool_attr_mask & SENSITIVE_BOOL_ON) {
147 /* aes_init_keysched() requires key length in bits. */
148 #ifdef __sparcv9
149 /* LINTED */
150 aes_init_keysched(OBJ_SEC_VALUE(key_p), (uint_t)
151 (OBJ_SEC_VALUE_LEN(key_p) * NBBY), ks);
152 #else /* !__sparcv9 */
153 aes_init_keysched(OBJ_SEC_VALUE(key_p),
154 (OBJ_SEC_VALUE_LEN(key_p) * NBBY), ks);
155 #endif /* __sparcv9 */
156
157 goto done;
158 }
159
160 /* If a non-sensitive key and doesn't have a key schedule, create it */
161 if (OBJ_KEY_SCHED(key_p) == NULL) {
162 void *obj_ks = NULL;
163
164 obj_ks = aes_alloc_keysched(&size, 0);
165 if (obj_ks == NULL) {
166 rv = CKR_HOST_MEMORY;
167 goto done;
168 }
169
170 #ifdef __sparcv9
171 /* LINTED */
172 aes_init_keysched(OBJ_SEC_VALUE(key_p),
173 (uint_t)(OBJ_SEC_VALUE_LEN(key_p) * 8), obj_ks);
174 #else /* !__sparcv9 */
175 aes_init_keysched(OBJ_SEC_VALUE(key_p),
176 (OBJ_SEC_VALUE_LEN(key_p) * 8), obj_ks);
177 #endif /* __sparcv9 */
178
179 OBJ_KEY_SCHED_LEN(key_p) = size;
180 OBJ_KEY_SCHED(key_p) = obj_ks;
181 }
182
183 (void) memcpy(ks, OBJ_KEY_SCHED(key_p), OBJ_KEY_SCHED_LEN(key_p));
184
185 done:
186 (void) pthread_mutex_unlock(&key_p->object_mutex);
187
188 if (rv == CKR_OK) {
189 aes_ctx->ac_keysched = ks;
190 aes_ctx->ac_keysched_len = size;
191 } else {
192 freezero(ks, size);
193 }
194
195 return (rv);
196 }
197
198 /*
199 * Initialize the AES context for the given mode, including allocating and
200 * expanding the key schedule if required.
201 */
202 static CK_RV
soft_aes_init_ctx(aes_ctx_t * aes_ctx,CK_MECHANISM_PTR mech_p,boolean_t encrypt)203 soft_aes_init_ctx(aes_ctx_t *aes_ctx, CK_MECHANISM_PTR mech_p,
204 boolean_t encrypt)
205 {
206 int rc = CRYPTO_SUCCESS;
207
208 switch (mech_p->mechanism) {
209 case CKM_AES_ECB:
210 aes_ctx->ac_flags |= ECB_MODE;
211 break;
212 case CKM_AES_CMAC:
213 case CKM_AES_CMAC_GENERAL:
214 rc = cmac_init_ctx((cbc_ctx_t *)aes_ctx, AES_BLOCK_LEN);
215 break;
216 case CKM_AES_CBC:
217 case CKM_AES_CBC_PAD:
218 rc = cbc_init_ctx((cbc_ctx_t *)aes_ctx, mech_p->pParameter,
219 mech_p->ulParameterLen, AES_BLOCK_LEN, aes_copy_block64);
220 break;
221 case CKM_AES_CTR:
222 {
223 /*
224 * soft_aes_check_param() verifies this is !NULL and is the
225 * correct size.
226 */
227 CK_AES_CTR_PARAMS *pp = (CK_AES_CTR_PARAMS *)mech_p->pParameter;
228
229 rc = ctr_init_ctx((ctr_ctx_t *)aes_ctx, pp->ulCounterBits,
230 pp->cb, aes_encrypt_block, aes_copy_block);
231 break;
232 }
233 case CKM_AES_CCM: {
234 CK_CCM_PARAMS *pp = (CK_CCM_PARAMS *)mech_p->pParameter;
235
236 /*
237 * The illumos ccm mode implementation predates the PKCS#11
238 * version that specifies CK_CCM_PARAMS. As a result, the order
239 * and names of the struct members are different, so we must
240 * translate. ccm_init_ctx() does not store a ref ccm_params,
241 * so it is safe to allocate on the stack.
242 */
243 CK_AES_CCM_PARAMS ccm_params = {
244 .ulMACSize = pp->ulMACLen,
245 .ulNonceSize = pp->ulNonceLen,
246 .ulAuthDataSize = pp->ulAADLen,
247 .ulDataSize = pp->ulDataLen,
248 .nonce = pp->pNonce,
249 .authData = pp->pAAD
250 };
251
252 rc = ccm_init_ctx((ccm_ctx_t *)aes_ctx, (char *)&ccm_params, 0,
253 encrypt, AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
254 break;
255 }
256 case CKM_AES_GCM:
257 /*
258 * Similar to the ccm mode implementation, the gcm mode also
259 * predates PKCS#11 2.40, however in this instance
260 * CK_AES_GCM_PARAMS and CK_GCM_PARAMS are identical except
261 * for the member names, so we can just pass it along.
262 */
263 rc = gcm_init_ctx((gcm_ctx_t *)aes_ctx, mech_p->pParameter,
264 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
265 aes_xor_block);
266 break;
267 }
268
269 return (crypto2pkcs11_error_number(rc));
270 }
271
272 /*
273 * Allocate context for the active encryption or decryption operation, and
274 * generate AES key schedule to speed up the operation.
275 */
276 CK_RV
soft_aes_crypt_init_common(soft_session_t * session_p,CK_MECHANISM_PTR pMechanism,soft_object_t * key_p,boolean_t encrypt)277 soft_aes_crypt_init_common(soft_session_t *session_p,
278 CK_MECHANISM_PTR pMechanism, soft_object_t *key_p,
279 boolean_t encrypt)
280 {
281 aes_ctx_t *aes_ctx = NULL;
282 CK_RV rv = CKR_OK;
283
284 if (key_p->key_type != CKK_AES)
285 return (CKR_KEY_TYPE_INCONSISTENT);
286
287 /* C_{Encrypt,Decrypt}Init() validate pMechanism != NULL */
288 rv = soft_aes_check_mech_param(pMechanism, &aes_ctx);
289 if (rv != CKR_OK) {
290 goto done;
291 }
292
293 rv = soft_aes_init_key(aes_ctx, key_p);
294 if (rv != CKR_OK) {
295 goto done;
296 }
297
298 rv = soft_aes_init_ctx(aes_ctx, pMechanism, encrypt);
299 if (rv != CKR_OK) {
300 goto done;
301 }
302
303 (void) pthread_mutex_lock(&session_p->session_mutex);
304 if (encrypt) {
305 /* Called by C_EncryptInit. */
306 session_p->encrypt.context = aes_ctx;
307 session_p->encrypt.mech.mechanism = pMechanism->mechanism;
308 } else {
309 /* Called by C_DecryptInit. */
310 session_p->decrypt.context = aes_ctx;
311 session_p->decrypt.mech.mechanism = pMechanism->mechanism;
312 }
313 (void) pthread_mutex_unlock(&session_p->session_mutex);
314
315 done:
316 if (rv != CKR_OK) {
317 soft_aes_free_ctx(aes_ctx);
318 }
319
320 return (rv);
321 }
322
323
324 CK_RV
soft_aes_encrypt(soft_session_t * session_p,CK_BYTE_PTR pData,CK_ULONG ulDataLen,CK_BYTE_PTR pEncryptedData,CK_ULONG_PTR pulEncryptedDataLen)325 soft_aes_encrypt(soft_session_t *session_p, CK_BYTE_PTR pData,
326 CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData,
327 CK_ULONG_PTR pulEncryptedDataLen)
328 {
329 aes_ctx_t *aes_ctx = session_p->encrypt.context;
330 CK_MECHANISM_TYPE mech = session_p->encrypt.mech.mechanism;
331 size_t length_needed;
332 size_t remainder;
333 int rc = CRYPTO_SUCCESS;
334 CK_RV rv = CKR_OK;
335 crypto_data_t out = {
336 .cd_format = CRYPTO_DATA_RAW,
337 .cd_offset = 0,
338 .cd_length = *pulEncryptedDataLen,
339 .cd_raw.iov_base = (char *)pEncryptedData,
340 .cd_raw.iov_len = *pulEncryptedDataLen
341 };
342
343 /*
344 * A bit unusual, but it's permissible for ccm and gcm modes to not
345 * encrypt any data. This ends up being equivalent to CKM_AES_CMAC
346 * or CKM_AES_GMAC of the additional authenticated data (AAD).
347 */
348 if ((pData == NULL || ulDataLen == 0) &&
349 !(aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|CMAC_MODE))) {
350 return (CKR_ARGUMENTS_BAD);
351 }
352
353 remainder = ulDataLen % AES_BLOCK_LEN;
354
355 /*
356 * CTR, CCM, CMAC, and GCM modes do not require the plaintext
357 * to be a multiple of the AES block size. CKM_AES_CBC_PAD as the
358 * name suggests pads it's output, so it can also accept any
359 * size plaintext.
360 */
361 switch (mech) {
362 case CKM_AES_CBC_PAD:
363 case CKM_AES_CMAC:
364 case CKM_AES_CMAC_GENERAL:
365 case CKM_AES_CTR:
366 case CKM_AES_CCM:
367 case CKM_AES_GCM:
368 break;
369 default:
370 if (remainder != 0) {
371 rv = CKR_DATA_LEN_RANGE;
372 goto cleanup;
373 }
374 }
375
376 switch (mech) {
377 case CKM_AES_CCM:
378 length_needed = ulDataLen + aes_ctx->ac_mac_len;
379 break;
380 case CKM_AES_GCM:
381 length_needed = ulDataLen + aes_ctx->ac_tag_len;
382 break;
383 case CKM_AES_CMAC:
384 case CKM_AES_CMAC_GENERAL:
385 length_needed = AES_BLOCK_LEN;
386 break;
387 case CKM_AES_CBC_PAD:
388 /* CKM_AES_CBC_PAD always adds 1..AES_BLOCK_LEN of padding */
389 length_needed = ulDataLen + AES_BLOCK_LEN - remainder;
390 break;
391 default:
392 length_needed = ulDataLen;
393 break;
394 }
395
396 if (pEncryptedData == NULL) {
397 /*
398 * The application can ask for the size of the output buffer
399 * with a NULL output buffer (pEncryptedData).
400 * C_Encrypt() guarantees pulEncryptedDataLen != NULL.
401 */
402 *pulEncryptedDataLen = length_needed;
403 return (CKR_OK);
404 }
405
406 if (*pulEncryptedDataLen < length_needed) {
407 *pulEncryptedDataLen = length_needed;
408 return (CKR_BUFFER_TOO_SMALL);
409 }
410
411 if (ulDataLen > 0) {
412 rv = soft_aes_encrypt_update(session_p, pData, ulDataLen,
413 pEncryptedData, pulEncryptedDataLen);
414
415 if (rv != CKR_OK) {
416 rv = CKR_FUNCTION_FAILED;
417 goto cleanup;
418 }
419
420 /*
421 * Some modes (e.g. CCM and GCM) will append data such as a MAC
422 * to the ciphertext after the plaintext has been encrypted.
423 * Update out to reflect the amount of data in pEncryptedData
424 * after encryption.
425 */
426 out.cd_offset = *pulEncryptedDataLen;
427 }
428
429 switch (mech) {
430 case CKM_AES_CBC_PAD: {
431 /*
432 * aes_encrypt_contiguous_blocks() accumulates plaintext
433 * in aes_ctx until it has at least one full block of
434 * plaintext. Any partial blocks of data remaining after
435 * encrypting are left for subsequent calls to
436 * aes_encrypt_contiguous_blocks(). If the input happened
437 * to be an exact multiple of AES_BLOCK_LEN, we must still
438 * append a block of padding (a full block in that case) so
439 * that the correct amount of padding to remove is known
440 * during decryption.
441 *
442 * soft_add_pkcs7_padding() is a bit overkill -- we just
443 * create a block filled with the pad amount using memset(),
444 * and encrypt 'amt' bytes of the block to pad out the input.
445 */
446 char block[AES_BLOCK_LEN];
447 size_t amt = AES_BLOCK_LEN - remainder;
448
449 VERIFY3U(remainder, ==, aes_ctx->ac_remainder_len);
450
451 (void) memset(block, amt & 0xff, sizeof (block));
452 rc = aes_encrypt_contiguous_blocks(aes_ctx, block, amt, &out);
453 rv = crypto2pkcs11_error_number(rc);
454 explicit_bzero(block, sizeof (block));
455 break;
456 }
457 case CKM_AES_CCM:
458 rc = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, &out,
459 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
460 rv = crypto2pkcs11_error_number(rc);
461 break;
462 case CKM_AES_GCM:
463 rc = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, &out,
464 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
465 aes_xor_block);
466 rv = crypto2pkcs11_error_number(rc);
467 break;
468 case CKM_AES_CMAC:
469 case CKM_AES_CMAC_GENERAL:
470 rc = cmac_mode_final((cbc_ctx_t *)aes_ctx, &out,
471 aes_encrypt_block, aes_xor_block);
472 rv = crypto2pkcs11_error_number(rc);
473 aes_ctx->ac_remainder_len = 0;
474 break;
475 case CKM_AES_CTR:
476 /*
477 * As CKM_AES_CTR is a stream cipher, ctr_mode_final is always
478 * invoked in the xx_update() functions, so we do not need to
479 * call it again here.
480 */
481 break;
482 case CKM_AES_ECB:
483 case CKM_AES_CBC:
484 /*
485 * These mechanisms do not have nor require a xx_final function.
486 */
487 break;
488 default:
489 rv = CKR_MECHANISM_INVALID;
490 break;
491 }
492
493 cleanup:
494 switch (rv) {
495 case CKR_OK:
496 *pulEncryptedDataLen = out.cd_offset;
497 break;
498 case CKR_BUFFER_TOO_SMALL:
499 /* *pulEncryptedDataLen was set earlier */
500 break;
501 default:
502 /* something else failed */
503 *pulEncryptedDataLen = 0;
504 break;
505 }
506
507 (void) pthread_mutex_lock(&session_p->session_mutex);
508 soft_aes_free_ctx(aes_ctx);
509 session_p->encrypt.context = NULL;
510 (void) pthread_mutex_unlock(&session_p->session_mutex);
511
512 return (rv);
513 }
514
515 static CK_RV
soft_aes_cbc_pad_decrypt(aes_ctx_t * aes_ctx,CK_BYTE_PTR pEncryptedData,CK_ULONG ulEncryptedDataLen,crypto_data_t * out_orig)516 soft_aes_cbc_pad_decrypt(aes_ctx_t *aes_ctx, CK_BYTE_PTR pEncryptedData,
517 CK_ULONG ulEncryptedDataLen, crypto_data_t *out_orig)
518 {
519 aes_ctx_t *ctx = aes_ctx;
520 uint8_t *buf = NULL;
521 uint8_t *outbuf = (uint8_t *)out_orig->cd_raw.iov_base;
522 crypto_data_t out = *out_orig;
523 size_t i;
524 int rc;
525 CK_RV rv = CKR_OK;
526 uint8_t pad_len;
527 boolean_t speculate = B_FALSE;
528
529 /*
530 * Just a query for the output size. When the output buffer is
531 * NULL, we are allowed to return a size slightly larger than
532 * necessary. We know the output will never be larger than the
533 * input ciphertext, so we use that as an estimate.
534 */
535 if (out_orig->cd_raw.iov_base == NULL) {
536 out_orig->cd_length = ulEncryptedDataLen;
537 return (CKR_OK);
538 }
539
540 /*
541 * The output plaintext size will be 1..AES_BLOCK_LEN bytes
542 * smaller than the input ciphertext. However we cannot know
543 * exactly how much smaller until we decrypt the entire
544 * input ciphertext. If we are unsure we have enough output buffer
545 * space, we have to allocate our own memory to hold the output,
546 * then see if we have enough room to hold the result.
547 *
548 * Unfortunately, having an output buffer that's too small does
549 * not terminate the operation, nor are we allowed to return
550 * partial results. Therefore we must also duplicate the initial
551 * aes_ctx so that this can potentially be run again.
552 */
553 if (out_orig->cd_length < ulEncryptedDataLen) {
554 void *ks = malloc(aes_ctx->ac_keysched_len);
555
556 ctx = malloc(sizeof (*aes_ctx));
557 buf = malloc(ulEncryptedDataLen);
558 if (ks == NULL || ctx == NULL || buf == NULL) {
559 free(ks);
560 free(ctx);
561 free(buf);
562 return (CKR_HOST_MEMORY);
563 }
564
565 bcopy(aes_ctx, ctx, sizeof (*ctx));
566 bcopy(aes_ctx->ac_keysched, ks, aes_ctx->ac_keysched_len);
567 ctx->ac_keysched = ks;
568
569 out.cd_length = ulEncryptedDataLen;
570 out.cd_raw.iov_base = (char *)buf;
571 out.cd_raw.iov_len = ulEncryptedDataLen;
572 outbuf = buf;
573
574 speculate = B_TRUE;
575 }
576
577 rc = aes_decrypt_contiguous_blocks(ctx, (char *)pEncryptedData,
578 ulEncryptedDataLen, &out);
579 if (rc != CRYPTO_SUCCESS) {
580 out_orig->cd_offset = 0;
581 rv = CKR_FUNCTION_FAILED;
582 goto done;
583 }
584
585 /*
586 * RFC5652 6.3 The amount of padding must be
587 * block_sz - (len mod block_size). This means
588 * the amount of padding must always be in the
589 * range [1..block_size].
590 */
591 pad_len = outbuf[ulEncryptedDataLen - 1];
592 if (pad_len == 0 || pad_len > AES_BLOCK_LEN) {
593 rv = CKR_ENCRYPTED_DATA_INVALID;
594 goto done;
595 }
596 out.cd_offset -= pad_len;
597
598 /*
599 * Verify pad values, trying to do so in as close to constant
600 * time as possible.
601 */
602 for (i = ulEncryptedDataLen - pad_len; i < ulEncryptedDataLen; i++) {
603 if (outbuf[i] != pad_len) {
604 rv = CKR_ENCRYPTED_DATA_INVALID;
605 }
606 }
607 if (rv != CKR_OK) {
608 goto done;
609 }
610
611 if (speculate) {
612 if (out.cd_offset <= out_orig->cd_length) {
613 bcopy(out.cd_raw.iov_base, out_orig->cd_raw.iov_base,
614 out.cd_offset);
615 } else {
616 rv = CKR_BUFFER_TOO_SMALL;
617 }
618 }
619
620 /*
621 * No matter what, we report the exact size required.
622 */
623 out_orig->cd_offset = out.cd_offset;
624
625 done:
626 freezero(buf, ulEncryptedDataLen);
627 if (ctx != aes_ctx) {
628 VERIFY(speculate);
629 soft_aes_free_ctx(ctx);
630 }
631
632 return (rv);
633 }
634
635 CK_RV
soft_aes_decrypt(soft_session_t * session_p,CK_BYTE_PTR pEncryptedData,CK_ULONG ulEncryptedDataLen,CK_BYTE_PTR pData,CK_ULONG_PTR pulDataLen)636 soft_aes_decrypt(soft_session_t *session_p, CK_BYTE_PTR pEncryptedData,
637 CK_ULONG ulEncryptedDataLen, CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen)
638 {
639 aes_ctx_t *aes_ctx = session_p->decrypt.context;
640 CK_MECHANISM_TYPE mech = session_p->decrypt.mech.mechanism;
641 size_t length_needed;
642 size_t remainder;
643 int rc = CRYPTO_SUCCESS;
644 CK_RV rv = CKR_OK;
645 crypto_data_t out = {
646 .cd_format = CRYPTO_DATA_RAW,
647 .cd_offset = 0,
648 .cd_length = *pulDataLen,
649 .cd_raw.iov_base = (char *)pData,
650 .cd_raw.iov_len = *pulDataLen
651 };
652
653 /*
654 * A bit unusual, but it's permissible for ccm and gcm modes to not
655 * decrypt any data. This ends up being equivalent to CKM_AES_CMAC
656 * or CKM_AES_GMAC of the additional authenticated data (AAD).
657 */
658 if ((pEncryptedData == NULL || ulEncryptedDataLen == 0) &&
659 !(aes_ctx->ac_flags & (CCM_MODE|GCM_MODE))) {
660 return (CKR_ARGUMENTS_BAD);
661 }
662
663 remainder = ulEncryptedDataLen % AES_BLOCK_LEN;
664
665 /*
666 * CTR, CCM, CMAC, and GCM modes do not require the ciphertext
667 * to be a multiple of the AES block size. Note that while
668 * CKM_AES_CBC_PAD accepts an arbitrary sized plaintext, the
669 * ciphertext is always a multiple of the AES block size
670 */
671 switch (mech) {
672 case CKM_AES_CMAC:
673 case CKM_AES_CMAC_GENERAL:
674 case CKM_AES_CTR:
675 case CKM_AES_CCM:
676 case CKM_AES_GCM:
677 break;
678 default:
679 if (remainder != 0) {
680 rv = CKR_DATA_LEN_RANGE;
681 goto cleanup;
682 }
683 }
684
685 if (mech == CKM_AES_CBC_PAD) {
686 rv = soft_aes_cbc_pad_decrypt(aes_ctx, pEncryptedData,
687 ulEncryptedDataLen, &out);
688 if (pData == NULL || rv == CKR_BUFFER_TOO_SMALL) {
689 *pulDataLen = out.cd_offset;
690 return (rv);
691 }
692 goto cleanup;
693 }
694
695 switch (aes_ctx->ac_flags & (CCM_MODE|GCM_MODE)) {
696 case CCM_MODE:
697 length_needed = aes_ctx->ac_processed_data_len;
698 break;
699 case GCM_MODE:
700 length_needed = ulEncryptedDataLen - aes_ctx->ac_tag_len;
701 break;
702 default:
703 /*
704 * Note: for CKM_AES_CBC_PAD, we cannot know exactly how much
705 * space is needed for the plaintext until after we decrypt it.
706 * However, it is permissible to return a value 'somewhat'
707 * larger than necessary (PKCS#11 Base Specification, sec 5.2).
708 *
709 * Since CKM_AES_CBC_PAD adds at most AES_BLOCK_LEN bytes to
710 * the plaintext, we report the ciphertext length as the
711 * required plaintext length. This means we specify at most
712 * AES_BLOCK_LEN additional bytes of memory for the plaintext.
713 *
714 * This behavior is slightly different from the earlier
715 * version of this code which returned the value of
716 * (ulEncryptedDataLen - AES_BLOCK_LEN), which was only ever
717 * correct when the original plaintext was already a multiple
718 * of AES_BLOCK_LEN (i.e. when AES_BLOCK_LEN of padding was
719 * added). This should not be a concern for existing
720 * consumers -- if they were previously using the value of
721 * *pulDataLen to size the outbut buffer, the resulting
722 * plaintext would be truncated anytime the original plaintext
723 * wasn't a multiple of AES_BLOCK_LEN. No consumer should
724 * be relying on such wrong behavior. More likely they are
725 * using the size of the ciphertext or larger for the
726 * buffer to hold the decrypted plaintext (which is always
727 * acceptable).
728 */
729 length_needed = ulEncryptedDataLen;
730 }
731
732 if (pData == NULL) {
733 /*
734 * The application can ask for the size of the output buffer
735 * with a NULL output buffer (pData).
736 * C_Decrypt() guarantees pulDataLen != NULL.
737 */
738 *pulDataLen = length_needed;
739 return (CKR_OK);
740 }
741
742 if (*pulDataLen < length_needed) {
743 *pulDataLen = length_needed;
744 return (CKR_BUFFER_TOO_SMALL);
745 }
746
747 if (ulEncryptedDataLen > 0) {
748 rv = soft_aes_decrypt_update(session_p, pEncryptedData,
749 ulEncryptedDataLen, pData, pulDataLen);
750 }
751
752 if (rv != CKR_OK) {
753 rv = CKR_FUNCTION_FAILED;
754 goto cleanup;
755 }
756
757 /*
758 * Some modes (e.g. CCM and GCM) will output additional data
759 * after the plaintext (such as the MAC). Update out to
760 * reflect the amount of data in pData for the _final() functions.
761 */
762 out.cd_offset = *pulDataLen;
763
764 /*
765 * As CKM_AES_CTR is a stream cipher, ctr_mode_final is always
766 * invoked in the _update() functions, so we do not need to call it
767 * here.
768 */
769 if (aes_ctx->ac_flags & CCM_MODE) {
770 ASSERT3U(aes_ctx->ac_processed_data_len, ==,
771 aes_ctx->ac_data_len);
772 ASSERT3U(aes_ctx->ac_processed_mac_len, ==,
773 aes_ctx->ac_mac_len);
774
775 rc = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, &out,
776 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
777 aes_xor_block);
778 rv = crypto2pkcs11_error_number(rc);
779 } else if (aes_ctx->ac_flags & GCM_MODE) {
780 rc = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, &out,
781 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
782 rv = crypto2pkcs11_error_number(rc);
783 }
784
785 cleanup:
786 if (rv == CKR_OK) {
787 *pulDataLen = out.cd_offset;
788 } else {
789 *pulDataLen = 0;
790 }
791
792 (void) pthread_mutex_lock(&session_p->session_mutex);
793 soft_aes_free_ctx(aes_ctx);
794 session_p->decrypt.context = NULL;
795 (void) pthread_mutex_unlock(&session_p->session_mutex);
796
797 return (rv);
798 }
799
800 CK_RV
soft_aes_encrypt_update(soft_session_t * session_p,CK_BYTE_PTR pData,CK_ULONG ulDataLen,CK_BYTE_PTR pEncryptedData,CK_ULONG_PTR pulEncryptedDataLen)801 soft_aes_encrypt_update(soft_session_t *session_p, CK_BYTE_PTR pData,
802 CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData,
803 CK_ULONG_PTR pulEncryptedDataLen)
804 {
805 aes_ctx_t *aes_ctx = session_p->encrypt.context;
806 crypto_data_t out = {
807 .cd_format = CRYPTO_DATA_RAW,
808 .cd_offset = 0,
809 .cd_length = *pulEncryptedDataLen,
810 .cd_raw.iov_base = (char *)pEncryptedData,
811 .cd_raw.iov_len = *pulEncryptedDataLen
812 };
813 CK_MECHANISM_TYPE mech = session_p->encrypt.mech.mechanism;
814 CK_RV rv = CKR_OK;
815 size_t out_len;
816 int rc;
817
818 /*
819 * If pData is NULL, we should have zero bytes to process, and
820 * the aes_encrypt_contiguous_blocks() call will be an effective no-op.
821 */
822 IMPLY(pData == NULL, ulDataLen == 0);
823
824 /* Check size of the output buffer */
825 switch (mech) {
826 case CKM_AES_CMAC:
827 /*
828 * The underlying CMAC implementation handles the storing of
829 * extra bytes and does not output any data until *_final,
830 * so do not bother looking at the size of the output
831 * buffer at this time.
832 */
833 out_len = 0;
834 break;
835 case CKM_AES_CTR:
836 /*
837 * CTR mode is a stream cipher, so we always output exactly as
838 * much ciphertext as input plaintext
839 */
840 out_len = ulDataLen;
841 break;
842 default:
843 out_len = aes_ctx->ac_remainder_len + ulDataLen;
844
845 /*
846 * The number of complete blocks we can encrypt right now.
847 * The underlying implementation will buffer any remaining data
848 * until the next *_update call.
849 */
850 out_len &= ~(AES_BLOCK_LEN - 1);
851 break;
852 }
853
854 if (pEncryptedData == NULL) {
855 *pulEncryptedDataLen = out_len;
856 return (CKR_OK);
857 }
858
859 if (*pulEncryptedDataLen < out_len) {
860 *pulEncryptedDataLen = out_len;
861 return (CKR_BUFFER_TOO_SMALL);
862 }
863
864 rc = aes_encrypt_contiguous_blocks(aes_ctx, (char *)pData, ulDataLen,
865 &out);
866
867 /*
868 * Since out.cd_offset is set to 0 initially and the underlying
869 * implementation increments out.cd_offset by the amount of output
870 * written, so we can just use the value as the amount written.
871 */
872 *pulEncryptedDataLen = out.cd_offset;
873
874 if (rc != CRYPTO_SUCCESS) {
875 return (CKR_FUNCTION_FAILED);
876 }
877
878 rv = crypto2pkcs11_error_number(rc);
879
880 return (rv);
881 }
882
883 CK_RV
soft_aes_decrypt_update(soft_session_t * session_p,CK_BYTE_PTR pEncryptedData,CK_ULONG ulEncryptedDataLen,CK_BYTE_PTR pData,CK_ULONG_PTR pulDataLen)884 soft_aes_decrypt_update(soft_session_t *session_p, CK_BYTE_PTR pEncryptedData,
885 CK_ULONG ulEncryptedDataLen, CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen)
886 {
887 aes_ctx_t *aes_ctx = session_p->decrypt.context;
888 uint8_t *buffer_block = NULL;
889 crypto_data_t out = {
890 .cd_format = CRYPTO_DATA_RAW,
891 .cd_offset = 0,
892 .cd_length = *pulDataLen,
893 .cd_raw.iov_base = (char *)pData,
894 .cd_raw.iov_len = *pulDataLen
895 };
896 CK_MECHANISM_TYPE mech = session_p->decrypt.mech.mechanism;
897 CK_RV rv = CKR_OK;
898 size_t in_len = ulEncryptedDataLen;
899 size_t out_len;
900 int rc = CRYPTO_SUCCESS;
901
902 switch (mech) {
903 case CKM_AES_CCM:
904 case CKM_AES_GCM:
905 out_len = 0;
906 break;
907 case CKM_AES_CBC_PAD:
908 /*
909 * For CKM_AES_CBC_PAD, we use the existing code for CBC
910 * mode in libsoftcrypto (which itself uses the code in
911 * usr/src/common/crypto/modes for CBC mode). For
912 * non-padding AES CBC mode, aes_decrypt_contiguous_blocks()
913 * will accumulate ciphertext in aes_ctx->ac_remainder until
914 * there is at least AES_BLOCK_LEN bytes of ciphertext available
915 * to decrypt. At that point, as many blocks of AES_BLOCK_LEN
916 * sized ciphertext blocks are decrypted. Any remainder is
917 * copied into aes_ctx->ac_remainder for decryption in
918 * subsequent calls to aes_decrypt_contiguous_blocks().
919 *
920 * When PKCS#7 padding is used, the buffering
921 * aes_decrypt_contigous_blocks() performs is insufficient.
922 * PKCS#7 padding always adds [1..AES_BLOCK_LEN] bytes of
923 * padding to plaintext, so the resulting ciphertext is always
924 * larger than the input plaintext. However we cannot know
925 * which block is the final block (and needs its padding
926 * stripped) until C_DecryptFinal() is called. Additionally,
927 * it is permissible for a caller to use buffers sized to the
928 * output plaintext -- i.e. smaller than the input ciphertext.
929 * This leads to a more complicated buffering/accumulation
930 * strategy than what aes_decrypt_contiguous_blocks() provides
931 * us.
932 *
933 * Our buffering strategy works as follows:
934 * For each call to C_DecryptUpdate, we calculate the
935 * total amount of ciphertext available (buffered plus what's
936 * passed in) as the initial output size (out_len). Based
937 * on the value of out_len, there are three possibilties:
938 *
939 * 1. We have less than AES_BLOCK_LEN + 1 bytes of
940 * ciphertext available. Accumulate the ciphertext in
941 * aes_ctx->ac_remainder. Note that while we could let
942 * aes_decrypt_contiguous_blocks() buffer the input for us
943 * when we have less than AES_BLOCK_LEN bytes, we would still
944 * need to buffer when we have exactly AES_BLOCK_LEN
945 * bytes available, so we just handle both situations with
946 * one if clause.
947 *
948 * 2. We have at least AES_BLOCK_LEN + 1 bytes of
949 * ciphertext, and the total amount available is also an
950 * exact multiple of AES_BLOCK_LEN. We cannot know if the
951 * last block of input is the final block (yet), but we
952 * are an exact multiple of AES_BLOCK_LEN, and we have
953 * at least AES_BLOCK_LEN + 1 bytes available, therefore
954 * there must be at least 2 * AES_BLOCK_LEN bytes of input
955 * ciphertext available. It also means there's at least one
956 * full block of input ciphertext that can be decrypted. We
957 * reduce the size of the input (in_len) given to
958 * aes_decrypt_contiguous_bytes() by AES_BLOCK_LEN to prevent
959 * it from decrypting the last full block of data.
960 * aes_decrypt_contiguous_blocks() will when decrypt any
961 * buffered data in aex_ctx->ac_remainder, and then any
962 * input data passed. Since we have an exact multiple of
963 * AES_BLOCK_LEN, aes_ctx->ac_remainder will be empty
964 * (aes_ctx->ac_remainder_len == 0), once
965 * aes_decrypt_contiguout_block() completes, and we can
966 * copy the last block of data into aes_ctx->ac_remainder.
967 *
968 * 3. We have at least AES_BLOCK_LEN + 1 bytes of
969 * ciphertext, but the total amount available is not an
970 * exact multiple of AES_BLOCK_LEN. We decrypt all of
971 * full blocks of data we have. The remainder will be
972 * less than AES_BLOCK_LEN bytes. We let
973 * aes_decrypt_contiguous_blocks() buffer the remainder
974 * for us since it would normally do this anyway. Since there
975 * is a remainder, the full blocks that are present cannot
976 * be the last block, so we can safey decrypt all of them.
977 *
978 * Some things to note:
979 * - The above semantics will cause aes_ctx->ac_remainder to
980 * never accumulate more than AES_BLOCK_LEN bytes of
981 * ciphertext. Once we reach at least AES_BLOCK_LEN + 1 bytes,
982 * we will decrypt the contents of aes_ctx->ac_remainder by one
983 * of the last two scenarios described above.
984 *
985 * - We must always end up with AES_BLOCK_LEN bytes of data
986 * in aes_ctx->ac_remainder when C_DecryptFinal() is called.
987 * The first and third scenarios above may leave
988 * aes_ctx->ac_remainder with less than AES_BLOCK_LEN bytes,
989 * however the total size of the input ciphertext that's
990 * been decrypted must end up a multiple of AES_BLOCK_LEN.
991 * Therefore, we can always assume when there is a
992 * remainder that more data is coming. If we do end up
993 * with a remainder that's not AES_BLOCK_LEN bytes long
994 * when C_DecryptFinal() is called, the input is assumed
995 * invalid and we return CKR_DATA_LEN_RANGE (see
996 * soft_aes_decrypt_final()).
997 */
998
999 VERIFY3U(aes_ctx->ac_remainder_len, <=, AES_BLOCK_LEN);
1000 if (in_len >= SIZE_MAX - AES_BLOCK_LEN)
1001 return (CKR_ENCRYPTED_DATA_LEN_RANGE);
1002
1003 out_len = aes_ctx->ac_remainder_len + in_len;
1004
1005 if (out_len <= AES_BLOCK_LEN) {
1006 /*
1007 * The first scenario detailed above, accumulate
1008 * ciphertext in ac_remainder_len and return.
1009 */
1010 uint8_t *dest = (uint8_t *)aes_ctx->ac_remainder +
1011 aes_ctx->ac_remainder_len;
1012
1013 bcopy(pEncryptedData, dest, in_len);
1014 aes_ctx->ac_remainder_len += in_len;
1015 *pulDataLen = 0;
1016
1017 /*
1018 * Since we aren't writing an output, and are returning
1019 * here, we don't need to adjust out_len -- we never
1020 * reach the output buffer size checks after the
1021 * switch statement.
1022 */
1023 return (CKR_OK);
1024 } else if (out_len % AES_BLOCK_LEN == 0) {
1025 /*
1026 * The second scenario decribed above. The total amount
1027 * available is a multiple of AES_BLOCK_LEN, and
1028 * we have more than one block. We reduce the
1029 * input size (in_len) by AES_BLOCK_LEN. We also
1030 * reduce the output size (out_len) by AES_BLOCK_LEN
1031 * for the output buffer size checks that follow
1032 * the switch statement. In certain situations,
1033 * PKCS#11 requires this to be an exact value, so
1034 * the size check cannot occur for CKM_AES_CBC_PAD
1035 * until after we've determine which scenario we
1036 * have.
1037 *
1038 * Because we never accumulate more than AES_BLOCK_LEN
1039 * bytes in aes_ctx->ac_remainder, when we are in
1040 * this scenario, the following VERIFYs should always
1041 * be true (and serve as a final safeguard against
1042 * underflow).
1043 */
1044 VERIFY3U(in_len, >=, AES_BLOCK_LEN);
1045
1046 buffer_block = pEncryptedData + in_len - AES_BLOCK_LEN;
1047
1048 in_len -= AES_BLOCK_LEN;
1049
1050 /*
1051 * This else clause explicity checks
1052 * out_len > AES_BLOCK_LEN, so this is also safe.
1053 */
1054 out_len -= AES_BLOCK_LEN;
1055 } else {
1056 /*
1057 * The third scenario above. We have at least
1058 * AES_BLOCK_LEN + 1 bytes, but the total amount of
1059 * input ciphertext available is not an exact
1060 * multiple of AES_BLOCK_LEN. Let
1061 * aes_decrypt_contiguous_blocks() handle the
1062 * buffering of the remainder. Update the
1063 * output size to reflect the actual amount of output
1064 * we want to emit for the checks after the switch
1065 * statement.
1066 */
1067 out_len &= ~(AES_BLOCK_LEN - 1);
1068 }
1069 break;
1070 case CKM_AES_CTR:
1071 /*
1072 * CKM_AES_CTR is a stream cipher, so we always output
1073 * exactly as much output plaintext as input ciphertext
1074 */
1075 out_len = in_len;
1076 break;
1077 default:
1078 out_len = aes_ctx->ac_remainder_len + in_len;
1079 out_len &= ~(AES_BLOCK_LEN - 1);
1080 break;
1081 }
1082
1083 /*
1084 * C_DecryptUpdate() verifies that pulDataLen is not NULL prior
1085 * to calling soft_decrypt_common() (which calls us).
1086 */
1087
1088 if (pData == NULL) {
1089 /*
1090 * If the output buffer (pData) is NULL, that means the
1091 * caller is inquiring about the size buffer needed to
1092 * complete the C_DecryptUpdate() request. While we are
1093 * permitted to set *pulDataLen to an estimated value that can
1094 * be 'slightly' larger than the actual value required,
1095 * since we know the exact size we need, we stick with the
1096 * exact size.
1097 */
1098 *pulDataLen = out_len;
1099 return (CKR_OK);
1100 }
1101
1102 if (*pulDataLen < out_len) {
1103 /*
1104 * Not an inquiry, but the output buffer isn't large enough.
1105 * PKCS#11 requires that this scenario not fail fatally (as
1106 * well as return a different error value). This situation
1107 * also requires us to set *pulDataLen to the _exact_ size
1108 * required.
1109 */
1110 *pulDataLen = out_len;
1111 return (CKR_BUFFER_TOO_SMALL);
1112 }
1113
1114 rc = aes_decrypt_contiguous_blocks(aes_ctx, (char *)pEncryptedData,
1115 in_len, &out);
1116
1117 if (rc != CRYPTO_SUCCESS) {
1118 rv = CKR_FUNCTION_FAILED;
1119 goto done;
1120 }
1121
1122 *pulDataLen = out.cd_offset;
1123
1124 switch (mech) {
1125 case CKM_AES_CBC_PAD:
1126 if (buffer_block == NULL) {
1127 break;
1128 }
1129
1130 VERIFY0(aes_ctx->ac_remainder_len);
1131
1132 /*
1133 * We had multiple blocks of data to decrypt with nothing
1134 * left over and deferred decrypting the last block of data.
1135 * Copy it into aes_ctx->ac_remainder to decrypt on the
1136 * next update call (or final).
1137 */
1138 bcopy(buffer_block, aes_ctx->ac_remainder, AES_BLOCK_LEN);
1139 aes_ctx->ac_remainder_len = AES_BLOCK_LEN;
1140 break;
1141 }
1142
1143 done:
1144 return (rv);
1145 }
1146
1147 CK_RV
soft_aes_encrypt_final(soft_session_t * session_p,CK_BYTE_PTR pLastEncryptedPart,CK_ULONG_PTR pulLastEncryptedPartLen)1148 soft_aes_encrypt_final(soft_session_t *session_p,
1149 CK_BYTE_PTR pLastEncryptedPart, CK_ULONG_PTR pulLastEncryptedPartLen)
1150 {
1151 aes_ctx_t *aes_ctx = session_p->encrypt.context;
1152 crypto_data_t data = {
1153 .cd_format = CRYPTO_DATA_RAW,
1154 .cd_offset = 0,
1155 .cd_length = *pulLastEncryptedPartLen,
1156 .cd_raw.iov_base = (char *)pLastEncryptedPart,
1157 .cd_raw.iov_len = *pulLastEncryptedPartLen
1158 };
1159 CK_MECHANISM_TYPE mech = session_p->encrypt.mech.mechanism;
1160 CK_RV rv = CKR_OK;
1161 size_t out_len;
1162 int rc = CRYPTO_SUCCESS;
1163
1164 switch (mech) {
1165 case CKM_AES_CBC_PAD:
1166 /*
1167 * We always add 1..AES_BLOCK_LEN of padding to the input
1168 * plaintext to round up to a multiple of AES_BLOCK_LEN.
1169 * During encryption, we never output a partially encrypted
1170 * block (that is the amount encrypted by each call of
1171 * C_EncryptUpdate() is always either 0 or n * AES_BLOCK_LEN).
1172 * As a result, at the end of the encryption operation, we
1173 * output AES_BLOCK_LEN bytes of data -- this could be a full
1174 * block of padding, or a combination of data + padding.
1175 */
1176 out_len = AES_BLOCK_LEN;
1177 break;
1178 case CKM_AES_CTR:
1179 /*
1180 * Since CKM_AES_CTR is a stream cipher, we never buffer any
1181 * input, so we always have 0 remaining bytes of output.
1182 */
1183 out_len = 0;
1184 break;
1185 case CKM_AES_CCM:
1186 out_len = aes_ctx->ac_remainder_len +
1187 aes_ctx->acu.acu_ccm.ccm_mac_len;
1188 break;
1189 case CKM_AES_GCM:
1190 out_len = aes_ctx->ac_remainder_len +
1191 aes_ctx->acu.acu_gcm.gcm_tag_len;
1192 break;
1193 case CKM_AES_CMAC:
1194 case CKM_AES_CMAC_GENERAL:
1195 out_len = AES_BLOCK_LEN;
1196 break;
1197 default:
1198 /*
1199 * Everything other AES mechansism requires full blocks of
1200 * input. If the input was not an exact multiple of
1201 * AES_BLOCK_LEN, it is a fatal error.
1202 */
1203 if (aes_ctx->ac_remainder_len > 0) {
1204 rv = CKR_DATA_LEN_RANGE;
1205 goto done;
1206 }
1207 out_len = 0;
1208 }
1209
1210 if (*pulLastEncryptedPartLen < out_len || pLastEncryptedPart == NULL) {
1211 *pulLastEncryptedPartLen = out_len;
1212 return ((pLastEncryptedPart == NULL) ?
1213 CKR_OK : CKR_BUFFER_TOO_SMALL);
1214 }
1215
1216 switch (mech) {
1217 case CKM_AES_CBC_PAD: {
1218 char block[AES_BLOCK_LEN] = { 0 };
1219 size_t padlen = AES_BLOCK_LEN - aes_ctx->ac_remainder_len;
1220
1221 if (padlen == 0) {
1222 padlen = AES_BLOCK_LEN;
1223 }
1224
1225 (void) memset(block, padlen & 0xff, sizeof (block));
1226 rc = aes_encrypt_contiguous_blocks(aes_ctx, block,
1227 padlen, &data);
1228 explicit_bzero(block, sizeof (block));
1229 break;
1230 }
1231 case CKM_AES_CTR:
1232 /*
1233 * Since CKM_AES_CTR is a stream cipher, we never
1234 * buffer any data, and thus have no remaining data
1235 * to output at the end
1236 */
1237 break;
1238 case CKM_AES_CCM:
1239 rc = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, &data,
1240 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
1241 break;
1242 case CKM_AES_GCM:
1243 rc = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, &data,
1244 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
1245 aes_xor_block);
1246 break;
1247 case CKM_AES_CMAC:
1248 case CKM_AES_CMAC_GENERAL:
1249 rc = cmac_mode_final((cbc_ctx_t *)aes_ctx, &data,
1250 aes_encrypt_block, aes_xor_block);
1251 break;
1252 default:
1253 break;
1254 }
1255 rv = crypto2pkcs11_error_number(rc);
1256
1257 done:
1258 if (rv == CKR_OK) {
1259 *pulLastEncryptedPartLen = data.cd_offset;
1260 }
1261
1262 soft_aes_free_ctx(aes_ctx);
1263 session_p->encrypt.context = NULL;
1264 return (rv);
1265 }
1266
1267 CK_RV
soft_aes_decrypt_final(soft_session_t * session_p,CK_BYTE_PTR pLastPart,CK_ULONG_PTR pulLastPartLen)1268 soft_aes_decrypt_final(soft_session_t *session_p, CK_BYTE_PTR pLastPart,
1269 CK_ULONG_PTR pulLastPartLen)
1270 {
1271 aes_ctx_t *aes_ctx = session_p->decrypt.context;
1272 CK_MECHANISM_TYPE mech = session_p->decrypt.mech.mechanism;
1273 CK_RV rv = CKR_OK;
1274 int rc = CRYPTO_SUCCESS;
1275 size_t out_len;
1276 crypto_data_t out = {
1277 .cd_format = CRYPTO_DATA_RAW,
1278 .cd_offset = 0,
1279 .cd_length = *pulLastPartLen,
1280 .cd_raw.iov_base = (char *)pLastPart,
1281 .cd_raw.iov_len = *pulLastPartLen
1282 };
1283
1284 switch (mech) {
1285 case CKM_AES_CBC_PAD:
1286 /*
1287 * PKCS#11 requires that a caller can discover the size of
1288 * the output buffer required by calling
1289 * C_DecryptFinal(hSession, NULL, &len) which sets
1290 * *pulLastPartLen to the size required. However, it also
1291 * allows if one calls C_DecryptFinal with a buffer (i.e.
1292 * pLastPart != NULL) that is too small, to return
1293 * CKR_BUFFER_TOO_SMALL with *pulLastPartLen set to the
1294 * _exact_ size required (when pLastPart is NULL, the
1295 * implementation is allowed to set a 'sightly' larger
1296 * value than is strictly necessary. In either case, the
1297 * caller is allowed to retry the operation (the operation
1298 * is not terminated).
1299 *
1300 * With PKCS#7 padding, we cannot determine the exact size of
1301 * the output until we decrypt the final block. As such, the
1302 * first time for a given decrypt operation we are called,
1303 * we decrypt the final block and stash it in the aes_ctx
1304 * remainder block. On any subsequent calls in the
1305 * current decrypt operation, we then can use the decrypted
1306 * block as necessary to provide the correct semantics.
1307 *
1308 * The cleanup of aes_ctx when the operation terminates
1309 * will take care of clearing out aes_ctx->ac_remainder_len.
1310 */
1311 if ((aes_ctx->ac_flags & P11_DECRYPTED) == 0) {
1312 uint8_t block[AES_BLOCK_LEN] = { 0 };
1313 crypto_data_t block_out = {
1314 .cd_format = CRYPTO_DATA_RAW,
1315 .cd_offset = 0,
1316 .cd_length = sizeof (block),
1317 .cd_raw.iov_base = (char *)block,
1318 .cd_raw.iov_len = sizeof (block)
1319 };
1320 size_t amt, i;
1321 uint8_t pad_len;
1322
1323 if (aes_ctx->ac_remainder_len != AES_BLOCK_LEN) {
1324 return (CKR_DATA_LEN_RANGE);
1325 }
1326
1327 rc = aes_decrypt_contiguous_blocks(aes_ctx,
1328 (char *)block, 0, &block_out);
1329 if (rc != CRYPTO_SUCCESS) {
1330 explicit_bzero(block, sizeof (block));
1331 return (CKR_FUNCTION_FAILED);
1332 }
1333
1334 pad_len = block[AES_BLOCK_LEN - 1];
1335
1336 /*
1337 * RFC5652 6.3 The amount of padding must be
1338 * block_sz - (len mod block_size). This means
1339 * the amount of padding must always be in the
1340 * range [1..block_size].
1341 */
1342 if (pad_len == 0 || pad_len > AES_BLOCK_LEN) {
1343 rv = CKR_ENCRYPTED_DATA_INVALID;
1344 explicit_bzero(block, sizeof (block));
1345 goto done;
1346 }
1347 amt = AES_BLOCK_LEN - pad_len;
1348
1349 /*
1350 * Verify the padding is correct. Try to do so
1351 * in as constant a time as possible.
1352 */
1353 for (i = amt; i < AES_BLOCK_LEN; i++) {
1354 if (block[i] != pad_len) {
1355 rv = CKR_ENCRYPTED_DATA_INVALID;
1356 }
1357 }
1358 if (rv != CKR_OK) {
1359 explicit_bzero(block, sizeof (block));
1360 goto done;
1361 }
1362
1363 bcopy(block, aes_ctx->ac_remainder, amt);
1364 explicit_bzero(block, sizeof (block));
1365
1366 aes_ctx->ac_flags |= P11_DECRYPTED;
1367 aes_ctx->ac_remainder_len = amt;
1368 }
1369
1370 out_len = aes_ctx->ac_remainder_len;
1371 break;
1372 case CKM_AES_CTR:
1373 /*
1374 * Since CKM_AES_CTR is a stream cipher, we never have
1375 * any remaining bytes to output.
1376 */
1377 out_len = 0;
1378 break;
1379 case CKM_AES_CCM:
1380 out_len = aes_ctx->ac_data_len;
1381 break;
1382 case CKM_AES_GCM:
1383 out_len = aes_ctx->acu.acu_gcm.gcm_processed_data_len -
1384 aes_ctx->acu.acu_gcm.gcm_tag_len;
1385 break;
1386 default:
1387 /*
1388 * The remaining mechanims require an exact multiple of
1389 * AES_BLOCK_LEN of ciphertext. Any other value is an error.
1390 */
1391 if (aes_ctx->ac_remainder_len > 0) {
1392 rv = CKR_DATA_LEN_RANGE;
1393 goto done;
1394 }
1395 out_len = 0;
1396 break;
1397 }
1398
1399 if (*pulLastPartLen < out_len || pLastPart == NULL) {
1400 *pulLastPartLen = out_len;
1401 return ((pLastPart == NULL) ? CKR_OK : CKR_BUFFER_TOO_SMALL);
1402 }
1403
1404 switch (mech) {
1405 case CKM_AES_CBC_PAD:
1406 *pulLastPartLen = out_len;
1407 if (out_len == 0) {
1408 break;
1409 }
1410 bcopy(aes_ctx->ac_remainder, pLastPart, out_len);
1411 out.cd_offset += out_len;
1412 break;
1413 case CKM_AES_CCM:
1414 ASSERT3U(aes_ctx->ac_processed_data_len, ==, out_len);
1415 ASSERT3U(aes_ctx->ac_processed_mac_len, ==,
1416 aes_ctx->ac_mac_len);
1417
1418 rc = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, &out,
1419 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
1420 aes_xor_block);
1421 break;
1422 case CKM_AES_GCM:
1423 rc = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, &out,
1424 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
1425 break;
1426 default:
1427 break;
1428 }
1429
1430 VERIFY3U(out.cd_offset, ==, out_len);
1431 rv = crypto2pkcs11_error_number(rc);
1432
1433 done:
1434 if (rv == CKR_OK) {
1435 *pulLastPartLen = out.cd_offset;
1436 }
1437
1438 soft_aes_free_ctx(aes_ctx);
1439 session_p->decrypt.context = NULL;
1440
1441 return (rv);
1442 }
1443
1444 /*
1445 * Allocate and initialize AES contexts for sign and verify operations
1446 * (including the underlying encryption context needed to sign or verify) --
1447 * called by C_SignInit() and C_VerifyInit() to perform the CKM_AES_* MAC
1448 * mechanisms. For general-length AES MAC, also validate the MAC length.
1449 */
1450 CK_RV
soft_aes_sign_verify_init_common(soft_session_t * session_p,CK_MECHANISM_PTR pMechanism,soft_object_t * key_p,boolean_t sign_op)1451 soft_aes_sign_verify_init_common(soft_session_t *session_p,
1452 CK_MECHANISM_PTR pMechanism, soft_object_t *key_p, boolean_t sign_op)
1453 {
1454 soft_aes_sign_ctx_t *ctx = NULL;
1455 /* For AES CMAC (the only AES MAC currently), iv is always 0 */
1456 CK_BYTE iv[AES_BLOCK_LEN] = { 0 };
1457 CK_MECHANISM encrypt_mech = {
1458 .mechanism = CKM_AES_CMAC,
1459 .pParameter = iv,
1460 .ulParameterLen = sizeof (iv)
1461 };
1462 CK_RV rv;
1463 size_t mac_len = AES_BLOCK_LEN;
1464
1465 if (key_p->key_type != CKK_AES)
1466 return (CKR_KEY_TYPE_INCONSISTENT);
1467
1468 /* C_{Sign,Verify}Init() validate pMechanism != NULL */
1469 if (pMechanism->mechanism == CKM_AES_CMAC_GENERAL) {
1470 if (pMechanism->pParameter == NULL) {
1471 return (CKR_MECHANISM_PARAM_INVALID);
1472 }
1473
1474 mac_len = *(CK_MAC_GENERAL_PARAMS *)pMechanism->pParameter;
1475
1476 if (mac_len > AES_BLOCK_LEN) {
1477 return (CKR_MECHANISM_PARAM_INVALID);
1478 }
1479 }
1480
1481 ctx = calloc(1, sizeof (*ctx));
1482 if (ctx == NULL) {
1483 return (CKR_HOST_MEMORY);
1484 }
1485
1486 rv = soft_aes_check_mech_param(pMechanism, &ctx->aes_ctx);
1487 if (rv != CKR_OK) {
1488 soft_aes_free_ctx(ctx->aes_ctx);
1489 goto done;
1490 }
1491
1492 if ((rv = soft_encrypt_init_internal(session_p, &encrypt_mech,
1493 key_p)) != CKR_OK) {
1494 soft_aes_free_ctx(ctx->aes_ctx);
1495 goto done;
1496 }
1497
1498 ctx->mac_len = mac_len;
1499
1500 (void) pthread_mutex_lock(&session_p->session_mutex);
1501
1502 if (sign_op) {
1503 session_p->sign.context = ctx;
1504 session_p->sign.mech.mechanism = pMechanism->mechanism;
1505 } else {
1506 session_p->verify.context = ctx;
1507 session_p->verify.mech.mechanism = pMechanism->mechanism;
1508 }
1509
1510 (void) pthread_mutex_unlock(&session_p->session_mutex);
1511
1512 done:
1513 if (rv != CKR_OK) {
1514 soft_aes_free_ctx(ctx->aes_ctx);
1515 free(ctx);
1516 }
1517
1518 return (rv);
1519 }
1520
1521 CK_RV
soft_aes_sign_verify_common(soft_session_t * session_p,CK_BYTE_PTR pData,CK_ULONG ulDataLen,CK_BYTE_PTR pSigned,CK_ULONG_PTR pulSignedLen,boolean_t sign_op,boolean_t Final)1522 soft_aes_sign_verify_common(soft_session_t *session_p, CK_BYTE_PTR pData,
1523 CK_ULONG ulDataLen, CK_BYTE_PTR pSigned, CK_ULONG_PTR pulSignedLen,
1524 boolean_t sign_op, boolean_t Final)
1525 {
1526 soft_aes_sign_ctx_t *soft_aes_ctx_sign_verify;
1527 CK_RV rv;
1528 CK_BYTE *pEncrypted = NULL;
1529 CK_ULONG ulEncryptedLen = AES_BLOCK_LEN;
1530 CK_BYTE last_block[AES_BLOCK_LEN];
1531
1532 if (sign_op) {
1533 soft_aes_ctx_sign_verify =
1534 (soft_aes_sign_ctx_t *)session_p->sign.context;
1535
1536 if (soft_aes_ctx_sign_verify->mac_len == 0) {
1537 *pulSignedLen = 0;
1538 goto clean_exit;
1539 }
1540
1541 /* Application asks for the length of the output buffer. */
1542 if (pSigned == NULL) {
1543 *pulSignedLen = soft_aes_ctx_sign_verify->mac_len;
1544 return (CKR_OK);
1545 }
1546
1547 /* Is the application-supplied buffer large enough? */
1548 if (*pulSignedLen < soft_aes_ctx_sign_verify->mac_len) {
1549 *pulSignedLen = soft_aes_ctx_sign_verify->mac_len;
1550 return (CKR_BUFFER_TOO_SMALL);
1551 }
1552 } else {
1553 soft_aes_ctx_sign_verify =
1554 (soft_aes_sign_ctx_t *)session_p->verify.context;
1555 }
1556
1557 if (Final) {
1558 rv = soft_encrypt_final(session_p, last_block,
1559 &ulEncryptedLen);
1560 } else {
1561 rv = soft_encrypt(session_p, pData, ulDataLen,
1562 last_block, &ulEncryptedLen);
1563 }
1564
1565 if (rv == CKR_OK) {
1566 *pulSignedLen = soft_aes_ctx_sign_verify->mac_len;
1567
1568 /* the leftmost mac_len bytes of last_block is our MAC */
1569 (void) memcpy(pSigned, last_block, *pulSignedLen);
1570 }
1571
1572 clean_exit:
1573
1574 (void) pthread_mutex_lock(&session_p->session_mutex);
1575
1576 /* soft_encrypt_common() has freed the encrypt context */
1577 if (sign_op) {
1578 free(session_p->sign.context);
1579 session_p->sign.context = NULL;
1580 } else {
1581 free(session_p->verify.context);
1582 session_p->verify.context = NULL;
1583 }
1584 session_p->encrypt.flags = 0;
1585
1586 (void) pthread_mutex_unlock(&session_p->session_mutex);
1587
1588 if (pEncrypted) {
1589 free(pEncrypted);
1590 }
1591
1592 return (rv);
1593 }
1594
1595 /*
1596 * Called by soft_sign_update()
1597 */
1598 CK_RV
soft_aes_mac_sign_verify_update(soft_session_t * session_p,CK_BYTE_PTR pPart,CK_ULONG ulPartLen)1599 soft_aes_mac_sign_verify_update(soft_session_t *session_p, CK_BYTE_PTR pPart,
1600 CK_ULONG ulPartLen)
1601 {
1602 CK_BYTE buf[AES_BLOCK_LEN];
1603 CK_ULONG ulEncryptedLen = AES_BLOCK_LEN;
1604 CK_RV rv;
1605
1606 rv = soft_encrypt_update(session_p, pPart, ulPartLen,
1607 buf, &ulEncryptedLen);
1608 explicit_bzero(buf, sizeof (buf));
1609
1610 return (rv);
1611 }
1612
1613 /*
1614 * Compare with crypto_free_mode_ctx()
1615 * in $SRC/common/crypto/modes/modes.c
1616 */
1617 void
soft_aes_free_ctx(aes_ctx_t * ctx)1618 soft_aes_free_ctx(aes_ctx_t *ctx)
1619 {
1620 size_t len = 0;
1621
1622 if (ctx == NULL)
1623 return;
1624
1625 if (ctx->ac_flags & ECB_MODE) {
1626 len = sizeof (ecb_ctx_t);
1627 } else if (ctx->ac_flags & (CBC_MODE|CMAC_MODE)) {
1628 len = sizeof (cbc_ctx_t);
1629 } else if (ctx->ac_flags & CTR_MODE) {
1630 len = sizeof (ctr_ctx_t);
1631 } else if (ctx->ac_flags & CCM_MODE) {
1632 ccm_ctx_t *ccm_ctx = &ctx->acu.acu_ccm;
1633 if (ccm_ctx->ccm_pt_buf != NULL) {
1634 freezero(ccm_ctx->ccm_pt_buf,
1635 ccm_ctx->ccm_data_len);
1636 ccm_ctx->ccm_pt_buf = NULL;
1637 }
1638 len = sizeof (ccm_ctx_t);
1639 } else if (ctx->ac_flags & GCM_MODE) {
1640 gcm_ctx_t *gcm_ctx = &ctx->acu.acu_gcm;
1641 if (gcm_ctx->gcm_pt_buf != NULL) {
1642 freezero(gcm_ctx->gcm_pt_buf,
1643 gcm_ctx->gcm_pt_buf_len);
1644 gcm_ctx->gcm_pt_buf = NULL;
1645 }
1646 len = sizeof (gcm_ctx_t);
1647 }
1648
1649 freezero(ctx->ac_keysched, ctx->ac_keysched_len);
1650 freezero(ctx, len);
1651 }
1652